
Fuzzing with AFL Fuzzer

Updated: Apr 11

Fuzzing: Where computers play hide and seek with bugs

Introduction


AFL++ is a fork of the AFL fuzzer that provides better speed, mutations and instrumentation, support for custom mutator modules, and more. More about AFL++ is available at https://github.com/AFLplusplus/AFLplusplus and https://aflplus.plus/


Fuzzer Platform Requirements




Build and Install AFL ++ For Fuzzing


Run the below commands to build and install AFL++ on Ubuntu virtual host.

sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
# try to install llvm 12 and install the distro default if that fails
sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
sudo apt-get install -y afl-clang # optional distro package of the clang wrappers; the source build below is what is used
sudo apt-get install -y ninja-build # for QEMU mode
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make distrib
sudo make install

Fuzzing Target Source


Select a target application such as Dlib https://github.com/davisking/dlib for fuzzing.


Compiling with AFL ++


git clone https://github.com/davisking/dlib.git

cd dlib/tools/imglab
mkdir -p build
cd build

export AFL_USE_UBSAN=1

export AFL_USE_ASAN=1

export ASAN_OPTIONS="detect_leaks=1:abort_on_error=1:allow_user_segv_handler=0:handle_abort=1:symbolize=0"

cmake -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CXX_FLAGS="-fsanitize=address,leak,undefined -g" -DCMAKE_C_FLAGS="-fsanitize=address,leak,undefined -g" ..

make -j8

Start Fuzzing


AFL++ needs a test corpus: seed input files that are fed to the compiled binary. AFL++ mutates these seeds to generate new inputs and thereby discovers new code paths.


Run the commands below to create the input seed directory and seed file for AFL++.


 mkdir -p fuzz/image/in
 cp /home/$USER/dlib/examples/faces/testing.xml fuzz/image/in

Start the AFL++ fuzzer using the command below.


afl-fuzz -i fuzz/image/in -o fuzz/image/out -- ./imglab --stats @@

AFL successful fuzzing screen

Parallel Fuzzing


Parallel fuzzing helps in improving fuzzing performance. The afl-gotcpu utility can help you understand whether your system still has idle CPU capacity.

afl-gotcpu

Testing for Parallel fuzzing limitations

Master: Start the Master Fuzzer

afl-fuzz -i fuzz/image/in -o fuzz/image/out -M Master -- ./imglab --stats @@

Setting master fuzzer instance in AFL

Slave: Start the Slave Fuzzer

afl-fuzz -i fuzz/image/in -o fuzz/image/out -S Slave -- ./imglab --stats @@

Starting Slave fuzzer in AFL
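
The two commands above start one master and one slave by hand. The script below is an added example (not from the original post or the AFL++ project) that generalizes this to N instances: it builds exactly one -M command plus N-1 -S commands that all share the same -o sync directory, starts them in the background with AFL_NO_UI=1, and sums execs_per_sec and crash counts from every instance's fuzzer_stats file. The instance names (main, sec01, ...) and the fuzz/logs directory are this script's own choices; run afl-gotcpu first to pick the worker count.

```python
"""Launch one -M and several -S afl-fuzz instances on a shared sync directory and
summarise their fuzzer_stats. Added example; instance names and the log layout
are this script's own choices, not anything from the original post."""
import os
import subprocess
import sys
from pathlib import Path


def afl_commands(in_dir, out_dir, target, workers, main_name="main"):
    """Return argv lists for `workers` instances: exactly one -M plus (workers - 1) -S.
    All share -o <out_dir>; that directory is how the instances sync their queues."""
    if workers < 1:
        raise ValueError("need at least one instance")
    base = ["afl-fuzz", "-i", in_dir, "-o", out_dir]
    cmds = [base + ["-M", main_name, "--"] + list(target)]
    for n in range(1, workers):
        cmds.append(base + ["-S", f"sec{n:02d}", "--"] + list(target))
    return cmds


def instance_name(cmd):
    """Name given after -M or -S; it is also the instance's subdirectory under -o."""
    flag = "-M" if "-M" in cmd else "-S"
    return cmd[cmd.index(flag) + 1]


def launch(cmds, log_dir):
    """Start every instance in the background; console output goes to <log_dir>/<name>.log."""
    Path(log_dir).mkdir(parents=True, exist_ok=True)
    env = dict(os.environ, AFL_NO_UI="1")  # N full-screen status UIs are useless; read fuzzer_stats instead
    procs = []
    for cmd in cmds:
        log = open(Path(log_dir) / f"{instance_name(cmd)}.log", "wb")
        procs.append(subprocess.Popen(cmd, stdout=log, stderr=subprocess.STDOUT, env=env))
    return procs


def parse_stats(text):
    """Parse the 'key : value' lines of an AFL++ fuzzer_stats file into a dict."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        for cast in (int, float):
            try:
                value = cast(value)
                break
            except ValueError:
                pass
        stats[key] = value
    return stats


def summarize(stats_list):
    """Sum throughput and crash counts across instances (older AFL++ called it unique_crashes)."""
    return {
        "execs_per_sec": sum(float(s.get("execs_per_sec", 0)) for s in stats_list),
        "saved_crashes": sum(int(s.get("saved_crashes", s.get("unique_crashes", 0))) for s in stats_list),
    }


def summarize_sync_dir(out_dir):
    """Aggregate fuzzer_stats of every instance found under the sync directory."""
    files = Path(out_dir).glob("*/fuzzer_stats")
    return summarize([parse_stats(f.read_text()) for f in files])


if __name__ == "__main__":
    # usage: python3 launch.py fuzz/image/in fuzz/image/out 4 -- ./imglab --stats @@
    if "--" not in sys.argv or len(sys.argv) < 5:
        sys.exit("usage: launch.py <in_dir> <out_dir> <workers> -- <target> [args] @@")
    i = sys.argv.index("--")
    cmds = afl_commands(sys.argv[1], sys.argv[2], sys.argv[i + 1:], int(sys.argv[3]))
    for p in launch(cmds, "fuzz/logs"):
        print("started afl-fuzz pid", p.pid)
```

Each instance writes its progress to <out_dir>/<name>/fuzzer_stats, so summarize_sync_dir("fuzz/image/out") gives a quick cross-instance view without attaching to any of the UIs.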

Crash Analysis


Setup: Install GDB and GDB-Peda

sudo apt install gdb

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit

git clone https://github.com/jfoote/exploitable.git
cd exploitable
python3 setup.py install

AFL-Collect: Run afl-collect crash analysis

afl-collect -d crashes.db -e gdb_script -r -rr ./fuzz/image/out/Master ./afl-collect -j 8 -- ./imglab --stats @@

Running crash analysis AFL

afl-collect lists all the potentially valid crashes and removes the invalid ones. The next step is to open the valid crashes in GDB and triage them for potential overflow vulnerabilities.

